Cyber Risk Consulting Black Hat Briefings Europe 2004 White Paper : Smartphone Security Issues CYBER NETWORKS Blackhat Briefings Europe 2004 White Paper : Smartphone Security Issues Luc Delpha Consultant Manager Maliha Rashid Security Consultant Cyber Risk Consulting May 2004 Abstract Mobile phones are becoming more and more like computers today, resulting in smartphones that combine processing power with always on connectivity to the Internet. Mainstream availability makes these devices potentially dangerous to organisations, extending the information system beyond the frontiers of the traditional trusted perimeter. This white paper discusses the security issues surrounding the use of these devices. 22, rue Edouard Nieuport - 92150 Suresnes - Tel. : 01 42 04 95 95 - Fax : 01 42 04 95 87 SA au capital de 74 800 € - RCS Nanterre B 403 366 503 - APE 721Z 1 Cyber Risk Consulting Black Hat Briefings Europe 2004 White Paper : Smartphone Security Issues TABLE OF CONTENTS 1 INTRODUCTION ........................................................................................................................ 3 1.1 WHY SMARTPHONES? ............................................................................................................ 3 1.2 SMARTPHONE CARACTERISTICS............................................................................................. 3 1.3 SMARTPHONES AND WIRELESS NETWORKS............................................................................ 4 1.3.1 Bluetooth............................................................................................................................ 4 1.3.2 GPRS ................................................................................................................................. 5 2 THE RISKS................................................................................................................................... 7 2.1 SECURITY RISKS RELATED TO THE INHERENT CHARACTERISTICS OF SMARTPHONES............ 7 2.2 SECURITY RISKS RELATED TO THE USERS .............................................................................. 7 2.3 SECURITY RISKS RELATED TO WIRELESS NETWORKS............................................................. 8 2.3.1 Bluetooth............................................................................................................................ 8 2.3.2 GPRS ................................................................................................................................. 9 2.4 SECURITY RISKS RELATED TO THE APPLICATIONS : STAND-ALONE (JAVA MIDLETS) – BROWSER-BASED................................................................................................................................. 9 2.4.1 Java MIDlets...................................................................................................................... 9 2.4.2 Browser issues ................................................................................................................. 10 3 THE CHALLENGES ................................................................................................................. 11 3.1 LEGAL ISSUES AND SECURITY POLICY ................................................................................. 11 3.2 A SECURE FRAMEWORK FOR SMARTPHONES ....................................................................... 11 3.3 PERSPECTIVES ...................................................................................................................... 12 4 CONCLUSION ........................................................................................................................... 13 5 REFERENCES ........................................................................................................................... 14 6 ABOUT THE SPEAKERS......................................................................................................... 15 ©2004 CYBER NETWORKS Page 2 sur 15 Reproduction interdite sans autorisation écrite préalable Cyber Risk Consulting Black Hat Briefings Europe 2004 White Paper : Smartphone Security Issues 1 INTRODUCTION Access to information and communication on the move is not only possible today, it is critical to maintain a competitive edge. Emerging wireless technologies make it possible to access the web, email, business applications and to synchronise calendars, contacts and other applications, in real-time, anytime, anywhere. Today’s mobile phones combine these wireless technologies with dedicated operating systems and advanced multimedia functionalities, thus the term smartphone. Smartphones facilitate the flow of information over heterogeneous networks, through untrusted domains. This flow of information represents risks for the owner of the smartphone and for the owner of the information. Given their growing popularity, smartphones need to be acknowledged when considering an information system, and more particularly when considering the security of any information system. After an introduction to the functionalities and architecture of smartphones (Symbian…), an overview of the technical risks associated with smartphone connectivity to wireless networks (Bluetooth, GPRS…) and malicious mobile code (Java MIDP) amongst others will follow. Legal issues will then be addressed, with a focus on the legal limits on controlling the use of such devices, and the share of legal responsibility. 1.1 Why smartphones? Given the gadget appeal of smartphones and their mainstream availability, smartphones are growing in popularity. Since smartphones are primarily used and sold for their phone function, they target a much wider population than traditional PDAs (Personal Digital Assistants). Although smartphones are primarily acquired for personal use, their organiser and mail functions tend to be used for professional purposes. In a corporate setting, it is difficult to control the use of these devices to that effect. This difficulty is due to practical and legal limitations, and remains even when the smartphone is acquired for corporate purposes because of the highly personal level of interaction with the device. 1.2 Smartphone caracteristics Aside from vocal communications over GSM and GPRS networks, smartphones provide web browsing, email and organiser functions, as well as advanced multimedia capabilities such as high resolution colour screens, digital cameras, mp3 players as well as support for Java applications. Smartphones allow users to synchronise PIM (Personal Information Management) Data (calendar, contacts, tasks) and email using protocols such as SyncML, HotSync, ActiveSync or IntelliSync over Bluetooth, IrDA or GPRS. Smartphones today are equipped with full fledged, purpose-built operating systems, designed for optimising resources. The dominating operating systems are Symbian, Windows Mobile and PalmOS. Smartphones running Linux are also available today (Motorola A760). Figure 1 details the architecture of version 8.0 of Symbian OS [1]. ©2004 CYBER NETWORKS Page 3 sur 15 Reproduction interdite sans autorisation écrite préalable Cyber Risk Consulting Black Hat Briefings Europe 2004 White Paper : Smartphone Security Issues Figure 1 : Architecture of Symbian OS version 8.0 Applications Kernel / Utilities Symbian OS version 8.0: Is based on a hard real-time micro kernel that implements multi threading and multi tasking (variant EKA2) Provides support for the latest CPU architectures, peripherals, internal and external memory types Comes equipped with application engines for PIM, messaging, browsing, utility and system control, Java, Bluetooth, gaming, 3D graphics (Open GL libraries) 1.3 Smartphones and wireless networks Smartphone design is focused on facilitating the exchange and flow of information, using the latest wireless technologies to this effect. Wireless technologies used today range from Wireless PANs such as Bluetooth to Wireless WANs such as GPRS (General Packet Radio Service). Details of the protocols that stand out today are listed below. 1.3.1 Bluetooth Bluetooth is defined by a core specification and a set of profiles related to different use cases. As described in Figure 2, the core system outlines the four lower layers and their associated protocols [2]: Radio Layer Baseband Layer Link Manager Layer L2CAP (Logical Link Control and Adaptation Protocol) Layer ©2004 CYBER NETWORKS Page 4 sur 15 Reproduction interdite sans autorisation écrite préalable Cyber Risk Consulting Black Hat Briefings Europe 2004 White Paper : Smartphone Security Issues The core system also covers : A common service protocol : SDP or Service Discovery Protocol the overall requirements for profiles : GAP or Generic Access Profile Figure 2 : Core specification 1.2 The profiles commonly used in smartphones are : Service discovery application profile Synchronization profile Generic Object Exchange Profile The Generic Object Exchange profile uses the OBEX protocol designed by the IrDA association [3]. The OBEX or Object Exchange Protocol is a binary equivalent of HTTP, providing object exchange services through Push (PUT method) and Pull (GET method) functions. Because interoperability of devices is a priority in Bluetooth, the specification is deliberately not explicit about implementation. 1.3.2 GPRS The General Packet Radio Service makes use of the GSM infrastructure, allowing higher data rates through a packet switched IP backbone. GPRS networks provide always on Internet connectivity, as described in Figure 3, through two main elements : The SGSN or Serving GPRS
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-